Analysis

  • max time kernel
    151s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-10-2022 10:02

General

  • Target

    1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

  • Size

    1.8MB

  • MD5

    ea782275c1bb27082a299dc3cf210dde

  • SHA1

    3e1237d9965a5fce404154cd3a8583da6a3312a4

  • SHA256

    1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df

  • SHA512

    4a19dd7de63fd17df99a7552d206d5eb4a0d3a12ebe79cf24c580ca88ed4e9c18e3fdb795154899becba4e87ac85b9952493d6326e6ef66f86004f0c0883c244

  • SSDEEP

    49152:PKxsFoq3ZDUcvA0YzmPfndN4HKcw0aUBT2N:P8sRJJYzm3f4HQEBT

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
    "C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
      "C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe
        "C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe"
        3⤵
        • Executes dropped EXE
        PID:1180
      • C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
        "C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe" Microsoft
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:928
      • C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
        "C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe" Microsoft
        3⤵
        • Executes dropped EXE
        PID:1328
    • C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
      "C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe" Windows
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe

    Filesize

    131KB

    MD5

    af9e24849dec91baa236d309b6fc54df

    SHA1

    6effffed3f777e7fe33396430cde07752b50bae6

    SHA256

    82c13bcdcf40d251835cf5792b75f919c8c90e88755beeacd0769cad798cebce

    SHA512

    1318f8ea1ff63fcd20d10b62a1a33fa77f1625eab6c18d39942e8536e3857fdc001d50fd3e30810cb85bdce77364a9c2b82a8260e0ee7b3650e5b50b262e804c

  • C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

    Filesize

    852KB

    MD5

    5e8c019883c1c5bd0fdac3663a863e94

    SHA1

    ad53d21c86af70b7fc791f5879f578758aa04525

    SHA256

    06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676

    SHA512

    1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

  • C:\Users\Admin\AppData\Roaming\Imminent\Logs\29-10-2022

    Filesize

    102B

    MD5

    dde407053cdc227c356ae66057f6e504

    SHA1

    37a4ca31e740dcd1f5123a07204a6fed6129d06e

    SHA256

    2fa2b2e2f851fed61c02226e2ad61cbf59e9a22a40957f2c08979ef63aed6804

    SHA512

    056bbe44690a39a47e2800a487ce7aa680a317b2d5b597dd4a82261d522cb466013125bf79217eef2b75b6eac0e2fd3c947552561bfddc33dacf0fdbb0a8434b

  • C:\Users\Admin\AppData\Roaming\Imminent\Logs\29-10-2022

    Filesize

    139B

    MD5

    0e2f41946322391a5eea51b31ff9d4a0

    SHA1

    01697c4201d9f5d6f9b95456a53cb32e238b1cea

    SHA256

    f98fec983593f98ba6c41e21134bc563ea199886646640ad11874cbcf5f69d97

    SHA512

    3972b0f9a0e1a98e7873b0a1a615b74af93b4bf7cb62ab7c6959094a547f61ea00a5e8854b909d5c1ae8e609259324422567685f8a8c21db54968f1a0cb29366

  • \Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe

    Filesize

    131KB

    MD5

    af9e24849dec91baa236d309b6fc54df

    SHA1

    6effffed3f777e7fe33396430cde07752b50bae6

    SHA256

    82c13bcdcf40d251835cf5792b75f919c8c90e88755beeacd0769cad798cebce

    SHA512

    1318f8ea1ff63fcd20d10b62a1a33fa77f1625eab6c18d39942e8536e3857fdc001d50fd3e30810cb85bdce77364a9c2b82a8260e0ee7b3650e5b50b262e804c

  • \Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

    Filesize

    852KB

    MD5

    5e8c019883c1c5bd0fdac3663a863e94

    SHA1

    ad53d21c86af70b7fc791f5879f578758aa04525

    SHA256

    06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676

    SHA512

    1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

  • memory/928-95-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/928-85-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/928-106-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/928-99-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/928-97-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/928-91-0x000000000044C6AE-mapping.dmp

  • memory/928-90-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/928-89-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/928-87-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/1108-104-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1108-57-0x0000000000000000-mapping.dmp

  • memory/1108-65-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1180-100-0x000007FEF2FD0000-0x000007FEF4066000-memory.dmp

    Filesize

    16.6MB

  • memory/1180-93-0x000007FEF44C0000-0x000007FEF4EE3000-memory.dmp

    Filesize

    10.1MB

  • memory/1180-107-0x0000000000B26000-0x0000000000B45000-memory.dmp

    Filesize

    124KB

  • memory/1180-78-0x0000000000000000-mapping.dmp

  • memory/1180-101-0x0000000000B26000-0x0000000000B45000-memory.dmp

    Filesize

    124KB

  • memory/1848-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1848-54-0x0000000075241000-0x0000000075243000-memory.dmp

    Filesize

    8KB

  • memory/1848-75-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1976-69-0x000000000044C38E-mapping.dmp

  • memory/1976-68-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/1976-61-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/1976-71-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/1976-67-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/1976-76-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1976-64-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/1976-105-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1976-73-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/1976-62-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB